Michele at Blacknight highlighted an important, ongoing issue for those using content management systems - Joomla included. She was writing about how earlier this year (July) a number of attacks were noted on Joomla-run web sites. And I know from when I was using a different CMS to host an article directory that I experienced problems at the beginning of the year that resulted in a temporary disabling of my site. Fortunately, that attack was a fairly simple one to fix, but it caused me some frustration and headaches whilst I was figuring it out.
Because popular CMS are, well, popular, they become targets for less than ethical people trying to promote their own dubious sites (you can imagine the type). So, it’s up to the webmasters who use a CMS to keep on top of security.
The Joomla site has a checklist on security that is excellent. It covers installation, setup, and ongoing administrative matters. I would say it is required reading for anyone who has a Joomla website.
A lot of the suggestions on this page may seem a bit technical for some people, but they are worth persisting with. However, there are some suggestions even the least technically-minded person can use. These include:
- use the latest, stable version of Joomla - keeping in mind that it sometimes takes a little while for the plugins you may need to catch up (for example, this could be an issue with Joomla 1.5).
- be careful in your choice of web host. Web hosts themselves can introduce security vulnerabilities that can be easily avoided. There is a link to a list of recommended hosts on the page above.
- delete all the leftover installation files - particularly if you’re not using Fantastico via cPanel to install Joomla
- move your configuration file outside the public_html folder. There’s a forum thread on how to do this here: http://forum.joomla.org/index.php/topic,122594.msg604266.html#msg604266
- change the default user name for your admin user - simple but effective!
- PHP5 is more secure, but the ability to use this will depend on whether your host is using it.
- Don’t use PHP safe mode
- Set the Register Globals Emulation off
- Delete all design templates you’re not using for your site.
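
Several of the items above can be checked from a shell on the web host. The script below is an added example, not part of the original post or the Joomla checklist; the names `installation/`, `configuration.php`, `globals.php` with `RG_EMULATION`, and `templates/system` are assumptions based on stock Joomla 1.0/1.5 layouts.

```shell
#!/bin/sh
# Added example: audit a Joomla document root against the checklist above.
# Assumed names (not from the post): installation/, configuration.php,
# templates/, and globals.php defining RG_EMULATION as in Joomla 1.0.x.
# Usage: audit_joomla DOCROOT [ACTIVE_TEMPLATE]
# Prints one line per finding; exit status is 0 only when nothing was found.
audit_joomla() {
    aj_root=$1
    aj_active=${2:-}
    aj_bad=0

    # Leftover installer files should be deleted once setup is finished.
    if [ -d "$aj_root/installation" ]; then
        echo "FAIL installation/ directory still present"
        aj_bad=1
    fi

    # A configuration.php in the web root that still holds the database
    # password has not been moved; a stub that only includes the real file
    # from outside the web root passes this check.
    if [ -f "$aj_root/configuration.php" ] &&
       grep -Eiq 'password[[:space:]]*=' "$aj_root/configuration.php"; then
        echo "FAIL configuration.php with credentials inside web root"
        aj_bad=1
    fi

    # Register Globals Emulation should be switched off (0).
    if [ -f "$aj_root/globals.php" ] &&
       grep -Eq "RG_EMULATION'?[[:space:]]*,[[:space:]]*1" "$aj_root/globals.php"; then
        echo "FAIL RG_EMULATION is on in globals.php"
        aj_bad=1
    fi

    # Every template other than the active one is unused code on the server.
    # templates/system is skipped: Joomla 1.5 keeps core fallback pages there.
    if [ -n "$aj_active" ] && [ -d "$aj_root/templates" ]; then
        for aj_dir in "$aj_root"/templates/*/; do
            [ -d "$aj_dir" ] || continue
            aj_name=$(basename "$aj_dir")
            case $aj_name in "$aj_active"|system) continue ;; esac
            echo "FAIL unused template: $aj_name"
            aj_bad=1
        done
    fi
    return "$aj_bad"
}
# Run directly: sh audit.sh /path/to/public_html active_template
if [ "$#" -gt 0 ]; then audit_joomla "$@"; fi
```

The admin user name and the PHP version are not covered here: the first lives in the database and the second depends on the host.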
There’s a lot more at the checklist, especially on files, third party plugins (a major source of security breaches), and other more technical things. Don’t forget to check it out!
And you can subscribe to Joomla security related announcements here.